tia/docs/database-setup.md

Database Setup

Manual Migrations

This directory contains SQL migrations that require superuser access and are applied manually.

Applying Migrations

Apply with psql:

# Connect as superuser
psql "$DATABASE_URL_SUPERUSER" -f drizzle/manual/01-app-role.sql

Environment Variables

• DATABASE_URL - Application connection (as tia_app role)
• DATABASE_URL_SUPERUSER - Superuser connection (for migrations only)

Migration 01: App Role

File: 01-app-role.sql

Creates tia_app role for application connections.

Before applying:

1. Change the password in the SQL file to a strong random value:

   CREATE ROLE tia_app WITH LOGIN PASSWORD 'your-secure-random-password';
   

2. Update DATABASE_URL in Dokploy to use tia_app:

   postgresql://tia_app:your-password@host:5432/tia
   

Apply:

psql "$DATABASE_URL_SUPERUSER" -f drizzle/manual/01-app-role.sql

After applying:

• Test application works with new role
• Verify tia_app can SELECT/INSERT/UPDATE/DELETE
• Verify tia_app CANNOT DROP tables, CREATE TABLE, or ALTER ROLE

Migration 02: Enable RLS

File: 02-enable-rls.sql

Enables Row-Level Security on all family-scoped tables.

Apply after H2.1 and H2.2 are complete:

psql "$DATABASE_URL_SUPERUSER" -f drizzle/manual/02-enable-rls.sql